
June 22, 2026

Weekly updated list of missing CVEs in nuclei templates official repository


Note: This repository is 100% automated, so there can be errors, but in general it is pretty accurate. See the "How it works" section to understand how the data is collected.

Stats 📊

CVEs analyzed: 160816

CVEs missing: 64646

Breakdown by vuln type:

| Type | Count | Data |
|------|-------|------|
| XSS | 22950 | xss.txt |
| RCE | 3278 | rce.txt |
| SQL Injection | 12540 | sqli.txt |
| Local File Inclusion | 380 | lfi.txt |
| Server Side Request Forgery | 390 | ssrf.txt |
| Prototype Pollution | 301 | proto-pollution.txt |
| Request Smuggling | 108 | req-smuggling.txt |
| Open Redirect | 442 | open-redirect.txt |
| XML External Entity | 474 | xxe.txt |
| Path Traversal | 3760 | path-traversal.txt |
| Server Side Template Injection | 90 | ssti.txt |
| Denial of Service | 15572 | dos.txt |

Breakdown by year:

| Year | Count | Data |
|------|-------|------|
| 1999 | 40 | 1999.txt |
| 2000 | 48 | 2000.txt |
| 2001 | 74 | 2001.txt |
| 2002 | 150 | 2002.txt |
| 2003 | 118 | 2003.txt |
| 2004 | 332 | 2004.txt |
| 2005 | 701 | 2005.txt |
| 2006 | 1487 | 2006.txt |
| 2007 | 1581 | 2007.txt |
| 2008 | 2535 | 2008.txt |
| 2009 | 1244 | 2009.txt |
| 2010 | 1182 | 2010.txt |
| 2011 | 684 | 2011.txt |
| 2012 | 905 | 2012.txt |
| 2013 | 900 | 2013.txt |
| 2014 | 1541 | 2014.txt |
| 2015 | 1941 | 2015.txt |
| 2016 | 1850 | 2016.txt |
| 2017 | 2846 | 2017.txt |
| 2018 | 3345 | 2018.txt |
| 2019 | 2647 | 2019.txt |
| 2020 | 3537 | 2020.txt |
| 2021 | 4056 | 2021.txt |
| 2022 | 4789 | 2022.txt |
| 2023 | 6497 | 2023.txt |
| 2024 | 10449 | 2024.txt |
| 2025 | 7652 | 2025.txt |
| 2026 | 1515 | 2026.txt |

Why 🤔

  • Bug bounty: the CVE templates in the official nuclei-templates repo are completely useless for bug bounty. This is because everyone uses those templates looking for low-hanging fruit. Build your own templates for new (and old!) CVEs, scan all the possible targets and don't forget to share them in the official nuclei-templates repo.
  • General security: security people can write their own templates for missing CVEs and use them to secure products during pentests, vuln assessments, red team ops and so on; every user will benefit from these actions. If they are very good security people they'll share the templates in the official nuclei-templates repo, helping the whole infosec community.
  • Stats & data lovers: I love data and statistics and I hope people like me will enjoy it.

How it works 🖥️

Automated logic:

```text
for each cve in trickest/cve:
    if this cve not present in nuclei-templates:
        if it contains one of the words we are looking for:
            if it is a CVE suitable for nuclei:
                print it
```

  • What are the "words we are looking for"? reflected, rce, local file inclusion, server side request forgery, ssrf, remote code execution, remote command execution, command injection, code injection, ssti, template injection, lfi, xss, Cross-Site Scripting, Cross Site Scripting, SQL injection, Prototype pollution, XML External Entity, Request Smuggling, XXE, Open redirect, Path Traversal, Directory Traversal and Denial of Service.

  • This means the tracked vulnerability types are: XSS, RCE, SQL injection, Local File Inclusion, Server Side Request Forgery, Prototype Pollution, Request Smuggling, Open Redirect, XML External Entity, Path Traversal, Server Side Template Injection and Denial of Service; new vuln types will be supported.

  • Why can there be errors in categorizing CVEs? Because grepping for these words can produce false positives: an XXE vulnerability can be categorized as RCE because, for example, its description says "in certain situations can be escalated to rce".

  • Why don't I get the exact official nuclei templates count if I subtract "CVEs missing" from "CVEs analyzed"? Because, as said before, the tracked vuln types are just 10 (the most famous ones), but a lot of other types are reported as well (and they will be supported).

  • What does it mean that a CVE is suitable for Nuclei? Basically a remote web or network vulnerability (e.g. a CVE on Android is not suitable).
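As an added example (not code from this repository), here is the filtering and categorization logic above written out in Python. The keyword list is the README's; the whole-word matching, the Android-based suitability check and the sample records are assumptions.

```python
import re
from collections import defaultdict

# Keyword list from "How it works", grouped by the vuln type / output file it feeds.
KEYWORDS = {
    "xss": ["reflected", "xss", "cross-site scripting", "cross site scripting"],
    "rce": ["rce", "remote code execution", "remote command execution",
            "command injection", "code injection"],
    "sqli": ["sql injection"], "lfi": ["local file inclusion", "lfi"],
    "ssrf": ["server side request forgery", "ssrf"],
    "proto-pollution": ["prototype pollution"], "req-smuggling": ["request smuggling"],
    "open-redirect": ["open redirect"], "xxe": ["xml external entity", "xxe"],
    "path-traversal": ["path traversal", "directory traversal"],
    "ssti": ["ssti", "template injection"], "dos": ["denial of service"],
}
# Assumption: case-insensitive whole-word matching so "rce" does not fire on "source";
# a description still gets every type whose words appear (the README's XXE-as-RCE case).
PATTERNS = {vt: re.compile(r"\b(?:" + "|".join(map(re.escape, w)) + r")\b", re.I)
            for vt, w in KEYWORDS.items()}

def classify(description):
    """Every tracked vuln type whose keywords occur in the description."""
    return sorted(vt for vt, pat in PATTERNS.items() if pat.search(description))

def is_suitable(description):
    """Assumption: a CVE that names a mobile OS is not a remote web/network bug."""
    return not re.search(r"\bandroid\b", description, re.I)

def find_missing(cves, existing):
    """cves: (cve_id, description) pairs; existing: ids that already have a
    nuclei template. Returns {vuln_type: [cve_id, ...]} for the gaps."""
    buckets = defaultdict(list)
    for cve_id, desc in cves:
        if cve_id in existing or not is_suitable(desc):
            continue
        for vt in classify(desc):
            buckets[vt].append(cve_id)
    return dict(buckets)

# Constructed sample records; the descriptions are invented, not real CVE text.
SAMPLE_CVES = [
    ("CVE-2024-0001", "Reflected cross-site scripting in the login page."),
    ("CVE-2023-0002", "XML external entity injection in the import API, which "
                      "in certain situations can be escalated to rce."),
    ("CVE-2024-0003", "SQL injection in the search parameter."),
    ("CVE-2024-0004", "Denial of service in the Android client."),
    ("CVE-2022-0005", "Improper source validation allows account takeover."),
]
EXISTING_TEMPLATES = {"CVE-2024-0003"}  # constructed: already covered upstream
```

Calling `find_missing(SAMPLE_CVES, EXISTING_TEMPLATES)` drops the covered and the Android records and lists the XXE sample under both xxe and rce, which is the false positive the README warns about.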

Contributing 🛠

Just open an issue / pull request.

Thanks

License

This repository is under the MIT License.
Contact me at edoardottt.com.